[c-nsp] help on NAT rate limiting

Rodney Dunn rodunn at cisco.com
Thu Dec 30 12:49:39 EST 2004 

CSCsa51150
Externally found severe defect: New (N)
NAT translation not timing out correctly when a TCP session closes
Full text of defect  

has been filed for this.

Rodney


> This appears to be the difference.
> 
> When the RST/FIN comes in bofore the
> translation is timed out more aggressively
> even though the default timeout is still
> 24 hours.
> 
> I'm checking to see why this change was done.
> 
> So the default really didn't change for the global
> translation timeout.
> 
> The aggressive timer when a close happens appears
> to have for some reason.
> 
> 
> I'll let you know what I figure out....
> 
> 
> In 12.2(12) if I have overload and a TCP
> session the timout looks like this after
> the session is closed:
> 
> 101_#sh ip nat trans ver
> Pro Inside global      Inside local       Outside local      Outside global
> tcp 3.3.3.1:11004      1.1.1.1:11004      3.3.3.2:23         3.3.3.2:23
>     create 00:00:10, use 00:00:06, left 23:59:53, Map-Id(In): 1,
>     flags: 
> extended, use_count: 0
> 
> Close the session:
> 
> 101_#sh ip nat trans ver
> Pro Inside global      Inside local       Outside local      Outside global
> tcp 3.3.3.1:11004      1.1.1.1:11004      3.3.3.2:23         3.3.3.2:23
>     create 00:00:16, use 00:00:01, left 00:00:58, Map-Id(In): 1,
>     flags: 
> extended, timing-out, use_count: 0
> 101_#sh ver | incl IOS
> IOS (tm) Solaris Software (UNIX-JS-M), Version 12.2(12), RELEASE SOFTWARE (fc1)
> 101_#
> 
> so it will age out in 1 minute.
> 
> 
> Now on 12.3(12):
> 
> 101_#sh ip nat trans ver
> Pro Inside global      Inside local       Outside local      Outside global
> tcp 3.3.3.1:11005      1.1.1.1:11005      3.3.3.2:23         3.3.3.2:23
>     create 00:00:07, use 00:00:03, left 23:59:56, Map-Id(In): 1,
>     flags: 
> extended, use_count: 0
> 101_#!close the session
> 101_#sh ip nat trans ver
> Pro Inside global      Inside local       Outside local      Outside global
> tcp 3.3.3.1:11005      1.1.1.1:11005      3.3.3.2:23         3.3.3.2:23
>     create 00:00:16, use 00:00:06, left 23:59:53, Map-Id(In): 1,
>     flags: 
> extended, use_count: 0
> 
> The translation will not time out for 24 hours even after the session
> is closed.
> 
> 
> On Wed, Dec 29, 2004 at 03:53:47PM -0500, Rodney Dunn wrote:
> > I missed that in the long response.
> > 
> > Let me take a look and see what I
> > can find.
> > 
> > Rodney
> > 
> > On Wed, Dec 29, 2004 at 01:06:17PM -0700, james edwards wrote:
> > > 
> > > ----- Original Message ----- 
> > > From: "Rodney Dunn" <rodunn at cisco.com>
> > > To: "Ted Mittelstaedt" <tedm at toybox.placo.com>
> > > Cc: <cisco-nsp at puck.nether.net>
> > > Sent: Wednesday, December 29, 2004 8:14 AM
> > > Subject: Re: [c-nsp] help on NAT rate limiting
> > > 
> > > 
> > > > 12.3 what.  I need the exact version so
> > > > I can verify on some bugs that are listed.
> > > > 
> > > 
> > > Looks like 12.3.12 to me:
> > > 
> > > The only other thing I can think might possibly be the explanation
> > > here is that there's a bug in IOS 12.3 where the translator is
> > > missing some of the tcp connection close commands.  But, this is
> > > IOS 12.3.12 and I've had this same problem on earler 12.3 versions
> > > on a 1600 series at a different customer - I switched back to 12.1
> > > on that one.  I find it hard to believe such a glaring bug (which
> > > basically makes nat useless in a default configuration) would not
> > > have been found after twelve iterations of IOS!!!

More information about the cisco-nsp mailing list